
Legitimate Interest and Data Protection
In the field of data protection, and under the General Data Protection Regulation (GDPR), the data subject’s consent has become one of the primary legal bases for processing personal data.
However, consent is not the only legal ground. The GDPR also recognizes situations where data processing may be justified without the need to obtain the data subject’s explicit consent. In this context, the legitimate interest of the data controller emerges as a valid alternative, although its application is limited and always subject to safeguards.
Processing of data without explicit consent
The GDPR, in its Article 6.1(f), establishes that processing shall be lawful when “it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or the fundamental rights and freedoms of the data subject.”
This means that it is not always necessary to obtain formal consent in order to process data.
Some practical examples in which legitimate interest may justify the processing are:
- Fraud prevention: verification of suspicious operations or monitoring of unauthorized access.
- Cybersecurity: controlling access to networks and systems, using firewalls, or detecting cybersecurity incidents.
- Video surveillance in the workplace for security purposes, properly signposted and respecting proportionality.
- Protection of legitimate business interests, such as defense against possible claims.
In all cases, the controller must demonstrate that the interest pursued is real, specific and legitimate, and that the processing is necessary to achieve it.
The limits of legitimate interest: privacy and intimacy
Legitimate interest cannot become a way to process data without limits. On the contrary, the GDPR requires that a balancing test be carried out, weighing on the one hand the interest of the controller and, on the other, the fundamental rights of the data subject.
In fact, the following principles must be taken into account when assessing the proportionality, necessity and feasibility of processing data on the basis of the controller's legitimate interest:
- Necessity and proportionality: only the data strictly necessary for the intended purpose may be processed.
- Data minimization: excessive or disproportionate processing that affects individuals’ privacy is prohibited.
- Transparency: data subjects must be clearly and comprehensibly informed that their data are processed on the basis of legitimate interest and that they may exercise their right to object.
- Impact assessment: in cases where there is a high risk to privacy, it may be necessary to carry out a Data Protection Impact Assessment (DPIA).
Position of the AEPD
The Spanish Data Protection Authority (AEPD) maintains a cautious and strict view on the use of legitimate interest as a legal basis. Among its main criteria are:
- Documentation of the balancing test (DPIA): the AEPD requires the controller to carry out and retain a formal analysis identifying the interest pursued, assessing the necessity of the processing and evaluating the impact on the rights of the data subjects.
- Enhanced transparency: it recommends that privacy policies explicitly include reference to legitimate interest as the legal basis, detailing the purposes and the right to object.
- Respect for the right to object: users must have access to a simple and cost-free mechanism to object to the processing of their data when this is based on legitimate interest.
In its decisions, the AEPD has sanctioned practices where legitimate interest was invoked in a generic manner or without a genuine proportionality analysis. The Authority stresses that legitimate interest cannot be a catch-all, but rather an exceptional basis that requires individualized justification.
In conclusion, legitimate interest is a useful tool that allows companies and organizations to process data in certain circumstances without the need for express or explicit consent. However, its use requires caution: the controller must justify the necessity of the processing, document a balancing test and guarantee transparency and the rights of the data subjects.
Nevertheless, the right to privacy and intimacy of the data subject must be taken into account: if the processing involves a significant impact on the personal sphere, consent will continue to be essential. In addition, it will be necessary to demonstrate that the balance between the business interest and the rights of the individuals concerned has been properly analyzed.

Midiala Fernández is a lawyer specializing in intellectual property, new technologies law and data protection.
Since 2019 she has advised on matters such as e-commerce, digital marketing, advertising, unfair competition and cybersecurity. She holds a law degree from the Universidad Complutense de Madrid and postgraduate training in ICT law and compliance from the Universidad Camilo José Cela.